The way authorization is implemented in SonarQube is pretty standard. It is possible to create as many users and groups of users as required in the system. The users can then be attached (or not) to (multiple) groups. Groups and / or users are then given (multiple) permissions. The permissions grant access to projects, services and functionalities.

Group

A group is a set of users.

To create a new group, go to Settings > Groups > Add new group:

To add/remove users to/from a group:

Two groups have a special meaning:

Anyone is a group that exists in the system, but that cannot be managed. Every user belongs to this group, including "anonymous."

sonar-users is the default group to which users are automatically added. This group can be changed through Settings > General Settings > Security > sonar.defaultGroup property.

Global Permissions

To set global permissions, log in as a System administrator and go to Settings > Global Permissions.

Administer System: Ability to perform all administration functions for the instance: global configuration and personalization of default dashboards.

Administer Quality Profiles: Ability to perform any action on the quality profiles. Available since version 3.6.

Share Dashboards and Filters: Ability to share dashboards, issue filters and measure filters. Available since version 3.7.

Execute Analysis: Ability to execute analyses, and to get all settings required to perform the analysis, even the secured ones like the scm account password, the jira account password, and so on. Available since version 3.7.

Execute Local Analysis (Dry Run): Ability to execute local (dry run) analyses without pushing the results to the server, and to get all settings required to perform a local analysis. This permission does not include the ability to access secured settings such as the scm account password, the jira account password, and so on. This permission is required to execute a local analysis in Eclipse or via the Issues Report plugin. Available since version 3.7.

Project Permissions

Three different permissions can be set on projects (projects, views, developers):

Users have the ability to see that a project exists, browse the measures and create/edit issues on the project

Code viewers have the ability to view the source code of the project. You must have the Users permission on a project to make use of the Code viewers permission.

Administrators have the ability to perform administration tasks for the project by accessing its settings. You must have the Users permission on a project to make use of the Administrators permission .

Note that permissions are not cumulative. For instance, if you want to be able to administer the project, browse the measures and browse the source code, you have to be given the three permissions: Administrators, Users and Code viewers.

You can either manually grant permissions for each project to some users and groups or apply permission templates to projects (since version 3.7).

Manually grant permissions for each project to some users and groups

Log in as a System administrator and go to Settings > Project Permissions > Projects (was Settings > Roles prior to version 3.7):

For versions prior to 3.7, it is done through the "Default roles for new Projects" table:

In the example below, once a new project has been created:

All the users in the sonar-administrators group can administrate (Administrators), access the project (Users) and browse the source code (Code viewers).

The myAuditor user can access the project (Users) and browse the source code (Code viewers).

Import Source Code

For security reasons, you can prevent SonarQube to upload the source code to the database when analyzing a project. To do so, log in as a System administrator, go to Settings > General Settings > Security and set the sonar.importSources property to false.

Note that if you want to restrict the access to the source code for some users only, grant the Code viewers permission accordingly.